Re: disable traceroute to my host

From: Peter Pentchev (roam@orbitel.bg)
Date: 06/28/01


Date: Thu, 28 Jun 2001 11:11:20 +0300
From: Peter Pentchev <roam@orbitel.bg>
To: Igor Podlesny <poige@morning.ru>

On Thu, Jun 28, 2001 at 02:30:21PM +0700, Igor Podlesny wrote:
>
> > On Wed, Jun 27, 2001 at 03:17:21PM -0400, alexus wrote:
> >> sounds good.. although what is tcp there for?
>
> > You can traceroute with any protocol. TCP is just as easy as UDP.
>
> > As people keep saying over and over, there really is no way to stop
> > traceroutes without severely breaking things.
>
> I disagree, cause I don't see any real hurt in disallowing
> icmp-echo-reply (0), icmp-unreach.icmp-unreach-port (3.3) and
> icmp-timxceed (11).
>
> the first is already in relatively common practice

This is acceptable, although it might confuse somebody who's new
to the hostile world of today's Internet :)

> the second is similar to BSD's blackhole feature (yeah... it doesn't
> fit the RFC, but the cruel world ;)

..and if you are running a UDP service, it would confuse the hell
out of people unable to connect to it when the server is down.

> the third is just an informative message (like the second isn't
> RFC-compliant, but partially)

..an informative message that can tell somebody exactly why they
can't connect to your system, instead of having their connections
just hang. As I mentioned before, there *are* OSes which will set
stupidly low TTLs on outgoing packets.

G'luck,
Peter

-- 
This sentence would be seven words long if it were six words shorter.
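The two behaviours argued over above (intermediate routers still answering with ICMP 11 when the target filters, and a UDP client hanging instead of getting 3/3 when the service is down) as a toy model. This is an added example, not code from the thread or from any BSD tool; the hop names, ports and the Node/send_udp/traceroute functions are constructed for illustration.

```python
from dataclasses import dataclass

PORT_UNREACH = (3, 3)    # ICMP destination unreachable, code 3 = port unreachable
TIME_EXCEEDED = (11, 0)  # ICMP time exceeded, code 0 = TTL expired in transit
TRACEROUTE_PORT = 33434  # classic traceroute base UDP port (normally closed)

@dataclass
class Node:
    name: str                                   # constructed hop name
    open_udp: frozenset = frozenset()           # UDP ports with a listener
    drop_icmp: frozenset = frozenset()          # ICMP (type, code) the local filter drops

    def emit(self, icmp):
        """The ICMP message that actually leaves this node, or None if filtered."""
        return None if icmp in self.drop_icmp else icmp

def send_udp(routers, dest, ttl, dport):
    """Deliver one UDP datagram; return (name of replying hop, ICMP reply or None)."""
    for r in routers:
        ttl -= 1                                # each router decrements the TTL
        if ttl == 0:                            # expired here: the router reports it
            return r.name, r.emit(TIME_EXCEEDED)
    if dport in dest.open_udp:
        return dest.name, None                  # delivered to a listener, no ICMP
    return dest.name, dest.emit(PORT_UNREACH)   # closed port: 3/3 unless filtered

def traceroute(routers, dest, max_ttl=6):
    """Probe TTL 1.. until a port-unreachable arrives; '*' marks a silent hop."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        who, icmp = send_udp(routers, dest, ttl, TRACEROUTE_PORT)
        hops.append(who if icmp is not None else "*")
        if icmp == PORT_UNREACH:
            break
    return hops

def udp_client_outcome(routers, dest, dport):
    """What a legitimate client learns when the UDP service it wants is down."""
    _, icmp = send_udp(routers, dest, 64, dport)
    return "fast failure (port unreachable)" if icmp == PORT_UNREACH else "silent timeout"

# Constructed topology: three routers, then a target running only UDP/53.
ROUTERS = [Node("r1"), Node("r2"), Node("r3")]
OPEN_HOST = Node("target", open_udp=frozenset({53}))
FILTERED_HOST = Node("target", open_udp=frozenset({53}),
                     drop_icmp=frozenset({PORT_UNREACH, TIME_EXCEEDED}))

if __name__ == "__main__":
    print(traceroute(ROUTERS, OPEN_HOST))                    # ['r1', 'r2', 'r3', 'target']
    print(traceroute(ROUTERS, FILTERED_HOST))                # ['r1', 'r2', 'r3', '*', '*', '*']
    print(udp_client_outcome(ROUTERS, FILTERED_HOST, 514))   # silent timeout
```

The filtered target hides only its own reply; the three routers in front of it still reveal the path, while a client of a down UDP service on that host waits for a timeout instead of getting an immediate error.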